Return 200 on HEAD requests to not invalidate tokens (#151)

Some email clients send preliminary requests to links to check for safety. We don't want
that to invalidate tokens.

CHANGELOG.md

@@ -35,6 +35,7 @@ Removes `authenticate_by_cookie` and `upgrade_passwordless_cookie` from controll
 ### Fixed
 
 - Remove reference to deleted generator file ([#149](https://github.com/mikker/passwordless/pull/149))
+- Return early on HEAD requests ([#151](https://github.com/mikker/passwordless/pull/151))
 
 ## 0.12.0 (2023-06-16)
 

app/controllers/passwordless/sessions_controller.rb

@@ -42,6 +42,10 @@ def create
  # @see ControllerHelpers#sign_in
  # @see ControllerHelpers#save_passwordless_redirect_location!
  def show
+ # Some email clients will visit links in emails to check if they are
+ # safe. We don't want to sign in the user in that case.
+ return head(:ok) if request.head?
+
  # Make it "slow" on purpose to make brute-force attacks more of a hassle
  redirect_to_options = Passwordless.redirect_to_response_options.dup
  BCrypt::Password.create(params[:token])

test/controllers/passwordless/sessions_controller_test.rb

@@ -322,5 +322,17 @@ class << User
 
  Passwordless.restrict_token_reuse = default
  end
+
+ test("responding to HEAD requests") do
+ user = User.create(email: "a@a")
+ passwordless_session = create_session_for(user)
+
+ token_path = "/users/sign_in/#{passwordless_session.token}"
+ head token_path
+
+ assert_equal 200, status
+ assert_equal token_path, path
+ assert_nil session[Helpers.session_key(user.class)]
+ end
  end
 end

test/test_helper.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require "simplecov"
-require "minitest/pride"
+require "minitest"
 
 SimpleCov.start do
  add_filter("test/dummy")